We have always been taught that once your system is compromised you need to either restore a clean backup or re-install the system in order to be safe. This is because the person who compromised the machine might have installed rootkits, backdoors or tampered with system tools to gain future access to the machine or spy on your network. A custom rootkit might not be caught by an antivirus solution so the only safe recourse is restoring the whole system to a clean state.

Unfortunately it seems that we are quickly getting to a point where restoring the system to a clean state might not be enough. I have recently come across a blog post by a security researcher at Sogeti ESEC Labs where the researcher tried (successfully) to install malware on the network card firmware. The malware in question was quite basic and simply hid ICMP requests with a TTL of 42 from the system as well as responded to said requests with the same TTL even when the OS had disabled the interface. While there is still nothing to worry about as far as we know it does illustrate the dangers we might experience in the future.

Such malware will be limited by the size of the firmware and the interaction that the device has with the system that can be exploited. As technology moves forward however, these will grow allowing increasingly sophisticated modifications to be implemented. Even now I would imagine that changing the current malware to redirect all the traffic it gets to a remote IP address while hiding said activity from the system is quite doable. This would potentially mean that a remote attacker compromising the system might have the option to install a stealthy sniffer that will not be removed by formatting the compromised system and re-installing.

If such a scenario were to occur, the cost of compromising will increase drastically because re-installing your system will not be enough. One will either need to toss the system and rebuild it from scratch or at the very least toss the Electrically Erasable Programmable Read-Only Memory (EEPROMS) containing the firmware and install a new clean version.

Tools can be developed to ensure firmware is not compromised by vendors, but then again just as a system is compromised once, you cannot depend solely on antivirus to give you a genuine result and you would therefore not be able to trust these tools. If such malware is developed in the future, then being proactive and ensuring that your system can not be compromised will definitely be a must.